Home site for the Start Programming with Python ebook.
Learn basic and intermediate programming skills in an easy-to-learn and fun-to-use language. Many of the ideas you will learn will carry over to other programming languages and ideas.


Thursday, January 2, 2014

Programming Security - Part 4 (Web Development)

Web applications are huge nowadays. While making desktop
applications is still big business, it is more likely that software will be developed
to be used within a web browser. Web development comprises a number of different
technologies, often requiring different skill sets to create. Back-end
programmers rarely deal with the front-end HTML, database admins are
responsible for their little section of the system, and so on. It is a rare
individual who can do all of these things (especially do them well); while one
or two people can make a SOHO application, especially if it is self-hosted,
anything that is going to handle a large number of clients will have to have
teams of people working on it.

Obviously, with all these people, ensuring security in the
design is paramount (or it should be). If any one part of the application is
insecure, the entire system is vulnerable. Each person has to ensure that they
think about security when they are doing their part.

Though the site is outdated, Microsoft has a good page of
web development topics.
It lists 10 vulnerabilities that occur in web apps due to bad design. While I
won’t go into detail about all of these, I’ll touch on some of the more
significant areas.

1. Input validation

2. Authentication

3. Authorization

4. Configuration Management

5. Sensitive Data

6. Session Management

7. Cryptography

8. Parameter Manipulation

9. Exception Management

10. Auditing and Logging

I’ve talked about input validation before, but I’ll talk about
it again. Input validation is the front line in secure programming. If the
attacker can’t get through the front door, hopefully he’ll move on to an easier
target. Input validation attempts to block cross-site scripting, SQL
injection, buffer overflows, and other related attacks.

If you assume that all input from an external source has a
malicious intent, it will help your mindset when it comes to defensive
programming. Develop a central repository of validation and filtering code that
can be used by other programs; this ensures that the same code is being used
throughout all projects. This makes it easy to patch or upgrade while ensuring
consistency among programs.

While it’s fine to have client-side validation, such as
through JavaScript, ensure you have server-side validation too. What happens if
the client-side software is bypassed somehow? An example of this is news media
paywalls.
By simply disabling JavaScript in the browser, a user can bypass a paywall and
access the content anyway. With no server-side checking, the paywall might as
well be non-existent.

As part of input validation, you need to accept known good
data (based on type, length, format, and range), reject known bad data, and
sanitize what’s left. Sanitizing includes stripping extraneous characters (like
spaces or null characters), escaping out values to create literal text, and
encoding URLs or HTML to make literal text rather than executable scripts.
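The following is an added example, not code from the original post, showing what a small central validation module along the lines described above might look like in Python: accept known-good data by type, length, format and range; reject everything else by raising an error; and sanitize free text by stripping null characters and whitespace, then HTML-escaping it so it is treated as literal text rather than markup. The rules themselves (the username pattern, the length limits) are assumptions for illustration; only the standard library is used.

```python
import html
import re
from urllib.parse import quote

# Constructed whitelist rule (assumption): 3-20 ASCII letters, digits or
# underscores. A real application would pick the rule that matches its needs.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")


class ValidationError(ValueError):
    """Raised when input fails a known-good check; callers reject the request."""


def validate_username(value):
    """Accept known good: the value must be a str matching USERNAME_RE exactly."""
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValidationError("username: expected 3-20 chars of [A-Za-z0-9_]")
    return value


def validate_int(value, low, high):
    """Accept known good by type and range: reject bools, non-integers and
    anything outside [low, high]. Returns the parsed integer."""
    if isinstance(value, bool):          # bool is a subclass of int; refuse it
        raise ValidationError("expected an integer, got a boolean")
    try:
        number = int(value)
    except (TypeError, ValueError):
        raise ValidationError("expected an integer") from None
    if not low <= number <= high:
        raise ValidationError(f"expected a value between {low} and {high}")
    return number


def sanitize_text(value, max_len=500):
    """Sanitize free text: drop null characters, trim surrounding whitespace,
    enforce a length limit, then HTML-escape so the result is literal text."""
    if not isinstance(value, str):
        raise ValidationError("expected text")
    cleaned = value.replace("\x00", "").strip()
    if len(cleaned) > max_len:
        raise ValidationError(f"text longer than {max_len} characters")
    return html.escape(cleaned, quote=True)


def sanitize_url_component(value):
    """Percent-encode a value before embedding it in a URL path or query,
    so characters like '&', '?' and spaces cannot change the URL's meaning."""
    if not isinstance(value, str):
        raise ValidationError("expected text")
    return quote(value, safe="")


if __name__ == "__main__":
    # Constructed sample inputs (not real requests) exercising each function.
    print(validate_username("alice_01"))
    print(validate_int("42", 0, 120))
    print(sanitize_text("<script>alert(1)</script>\x00"))
    print(sanitize_url_component("a b&c"))
    try:
        validate_username("alice'; DROP TABLE users--")
    except ValidationError as err:
        print("rejected:", err)
```

Because these functions run on the server, they do their job whether or not the browser ran any JavaScript; the client-side checks are a convenience for the user, and this module is the check that actually counts.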

When working with data over a network, assume that it will
be intercepted. How would you deal with this? If you are sending data such as
passwords and user names unencrypted, it’s only a matter of time before they
are captured and used to break into your system. Therefore, use a secure
transmission channel, like SSH or TLS/SSL, instead of insecure protocols like
TFTP or Telnet.

If you have a database of valuable information, like credit
card data, addresses, etc., make sure the database is encrypted with a good
encryption scheme. When storing passwords, don’t store them in plain text; use a
strong hashing algorithm and salt the passwords first.

Again, if the programming language you’re using has built-in
libraries that will do what you want, use them. Don’t make your own and don’t
rely on an unknown third-party’s library, as you’ll only create new vectors for
attack.

5 comments:

In your blog you have very well explained the need and necessity of security, as if any one of the applications or web programs is left unsecured then it can harm the entire system. So we should not rely on third-party software for security, and we should make sure that everything is perfectly encrypted and secure from different attacks.

Really helpful tutorial. Your blog is really useful for users, especially for fresh web developers. In my point of view, with the help of your blog they can get a lot of information related to website development. Software and web development company in Lucknow